oss-sec mailing list archives
CVE Request: invalid curve attack on bouncycastle
From: Raphael Hertzog <hertzog () debian org>
Date: Thu, 22 Oct 2015 12:25:12 +0200
Hello,

bouncycastle versions older than 1.51 are vulnerable to an invalid curve attack as described in this article:
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows the extraction of private keys used in elliptic curve cryptography with a few thousand queries.

According to upstream developer Peter Dettman, the issue has been fixed with those two commits:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

Could a CVE be assigned to this issue?

Thank you.

PS: Please CC me as I'm not subscribed.

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
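As an added illustration of the class of check the fix above is about (example code, neither BouncyCastle's own nor the poster's): a Python implementation of full public-key validation on NIST P-256, which rejects a peer-supplied point lying on a different curve before it ever reaches a scalar multiplication with a private key. The P-256 domain parameters are the standard ones; the off-curve sample point (1, 2) is constructed for the demonstration.

```python
# Added example (not BouncyCastle's code): full public-key validation on NIST
# P-256 (secp256r1), the check whose absence permits invalid curve attacks.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B (mod P). Note B is never used."""
    if p1 is INF or p2 is INF:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; validation only)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def curve_b_of(pt):
    """The b of the curve y^2 = x^3 + A*x + b that pt really lies on.
    Since ec_add never reads B, a point from a curve with another b goes
    through the group arithmetic unnoticed unless this is checked first."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P

def validate_public_point(pt):
    """SEC 1 full validation; False for anything that is not a P-256 public key."""
    if pt is INF:                                    # 1. not the identity
        return False
    x, y = pt
    in_range = 0 <= x < P and 0 <= y < P             # 2. coordinates in range
    on_curve = in_range and curve_b_of(pt) == B      # 3. on the right curve
    return on_curve and ec_mul(N, pt) is INF         # 4. in the order-N subgroup
```

Step 3 is the one that matters for this bug: the constructed point (1, 2) satisfies the curve equation only for b = 6, so it is rejected before any private-key arithmetic would be performed on it.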